What?

• Book an interview with the TBS in Brief team to find out how they do it
• Bryan has the information to get in touch with the TBS Internal Comms group which is under SCMA (Strategic Communication and Ministerial Affairs)
• Find out their process, how it is sent, what problems they have
• Log their use case in Drive

Why?

• They are close to us and their use case is a valid one to explore

What?

• Find UI things we need to change
• Find UI things we need to translate
• Find code of UI things to Translate
• Find all the things we need to re-write such as content in footer or kill
• Find where it says letters so we can get rid of them
• What pages should we kill?
• Should we merge some pages?
• Put this all in a Google doc or a github wiki for the team to reference

Why?

• We don't want to confuse people

What?

• How much does it cost the government to send email notifications to people now?
• MailChimp costs for news letters?
• What other services are used there and what are there costs? Such as outlook mailing lists? How much does that actually cost SSC? is it trivial?
• Is there a labour cost we are replacing by allowing them to send from software directly with our API? What does that equate to?
• If anyone is sending SMS messages, how much does it cost them?

Why?

• We should know how much people currently are paying out of their budgets for when they need to send people email notifications so we can use this as a performance indicator of money saved.

What?

• Create a wiki article about what changes we had to make to get it up and running on K8S
• Wiki about What did we need to change with Email and SMS to get them in Canada? our providers?
• What do we need to change to make french work for the UI and templates

Why?

• Documentation will make it easier to recreate what we have done to modify the product for our purpose. There is a lot of existing documentation on Gov.uk we can borrow when we need documentation, but we need to stay on top of new stuff we do so we can merge documentation back later.

What?

• AU uses https://www.firetext.co.uk/ would that work for us?
  If not
• How can we connect instead to https://www.twilio.com/sms to send SMS in Canada?
• Or https://aws.amazon.com/sns/sms-pricing/ may be easier?

Why?

• Sending SMS is not currently a service that the GoC has and this would help differentiate us from other Email notification systems

What?

• Find out who runs Services - IT Service Desk_Bureau de service de la TI
• Interview them about their Use case
• Log their use case in Drive

Why?

• TBS is easy for us to reach out to and collect information from. They may want to use our solution and so not only does this research but it can help us find new clients.

Dependancy: https://github.com/cds-snc/CANotifier/issues/28

What?

• If we send emails to people they need to be able to unsubscribe easily, Does the Notify fork have that?
• SMS needs to be able to unsubscribe too, is there a mechanism for that? Can they text back something to unsub them? do we need to send a message explaining that when we SMS some one for the first time?
  If no:
• Create a simple way for people to unsub from emails, put a herf in emails that takes them out of the list and store them in a db as to block them from getting future emails from the CANotifier System (Just to be safe, we could isolate it to that user or department in the future but lets keep it simple for now.)
• SMS needs a way too, like a user replies with No or Non to remove them. We could ask them yes or no
• Needs to be in both official languages

Why?

• We aren't sure if CASL applies to government communications but we don't want to be accused of sending unsolicited communications people can't get out of and have it be true.

What?

• We need to know how the government sends stuff out currently (I believe the current most popular solution is outlook mailing lists)
• a Sample size of different groups and how they send notifications

Why?

• We need to know what we are trying to displace and be better than

What?

• Crown copyright on bottom of pages needs to go

Why?

• I don't think it applies

What?

• Put in toggle to switch the UI to French that sets a session variable.
• Detects browser language

Why?

• Official Language support
• Usability testing
• I imagine we will have French users

Dependant #43

What?

• Once we have it up and running we need to validate that the Notify system is WCAG 2.1 Level AA compliant
• Run it through our Accessibility testing software if possible if not, let me know. I will Talk to Julianna about a sweep so we can integrate that feedback into design.

Why?

• If we add stuff to it that isn't we will just end up making more work for ourselves. It should be so let's validate it.

What?

• We have to use a different font
• This could change the layout so things will have to be tweeked and redesigned
• Can we find a font that is similar in shape, size, and kerning, to minimize problems
• How hard is it to swap the font?

Why?

• GDS owns the rights to their font and we don't

What?

• Gov.uk says their login has 2fa, does our fork have that on by default?
• Can we use SMS for 2FA even though it isn't the best option?
• Can it be disabled while we build and test?

Why?

• We probably need 2fa if we are going to be storing peoples names, emails, phone numbers, and other person information.

What?

• When users create a service. EG Bryan's Service it creates an email [email protected]
• Does the email need to be [email protected]?
• Or can we get away with having the users create two services. Bryan's Service and Service de Bryan?

Why?

• We want to ensure legal compliance with the official language act

What?

• Gov.uk notify has a performance dashboard here https://www.gov.uk/performance/govuk-notify
• Can we have a similar one?
• would it come on a page like this on the notify domain?
• would we put it on our own dashboard tech?

Why?

• We will have to demonstrate the performance of the tool to show our success, automating that would be easier.
  This isn't Necessary as we can always get the data later manually but it would be nice to have.

What?

• Column in a CSV upload French or English needs to be supported, could have values like Eng, Fr, English, French, Francais, E, F, 1,0,2 and we need to be able to have users match that up to a template if they are sending a communication in both official languages
• Needs to be able to be utilized by the API so that a connected service using us for notifications can send it in a language
• Upload interface needs to reflect that this is possible as does the ability to create two templates so we need a design that can be implemented for this.
• We need to update the existing Notify design to support these additions

Why?

• All the currently used solutions and private sector solutions thing of bilingualism as an after thought, we need to make it a core feature to boost our value prop of the software.
• If users opt into a news letter they often select the language they which to receive communications in.

Notes

• One email with both languages is a good first step, this can happen later, but is a valid GoC federal usecase

Dependancy: https://github.com/cds-snc/CANotifier/issues/20

What?

• Implement our designs for the two use cases of french messages
• CSV uploads or API calls can have a users language. Based on this is sends either the English or French template message, unsub messages, et al.
• Template creation, means you need to create two now

Why?

• French support is a key differentiator and Value prop for this tool as the private solutions consider this an after thought.

What?

• The Gov.UK has a list of approved domains
• Clear it
• Add cds-snc.ca, tbs-sct.gc.ca, and canada.ca
• Tell me how to add more to it

Why?

• The service is only for Fed Gov, Provincial Gov, & MASH and without a master list we will have to go ad hoc.

What?

• Do we want a Mono Repo?

Why?

• Makes it easier to make changes
• Makes it hard to push upstream changes

What?

• Are we in the clear if we let people upload and send information to recipients if they have already collected the info and are cleared to use it for that purpose?
• How secure does it need to be?
• Is it ok to be stored in logs or should it be scrubbed?
• If our infrastructure (AWS?) cleared for protected B are we ok?
• The software shows messages that didn't send. Do they matter since they didn't make it? Can we assume the info is wrong?

Why?
Here is what came out of consultation with Legal Services.
It boils down to “how many pieces of information we can collect about an individual” before we can cross reference data and infer identity. The answer is two. As long as we are not collecting more than two “identifiers”, we are compliant.

An Example would be
Identifier #1: Language of user
Identifier #2: Email address

What?

• Can we adapt CANotify to use AWS SES https://aws.amazon.com/ses/ for sending emails? instead of what it currently uses? Does it use that? if so Great!
• In the UI Is there anyway for the Sender to configure the reply address? or the API?
• Anyway to configure SPF records?

Why?

• We need emails to go out and not trigger spam blacklisting by email services so that government agencies can be confident the emails will get through.
• We may one day need to support replies to the emails sent so if it doesn't have that it may be a future feature.

Reducing a Spam score of a message

• Less emails coming from one place to an email service (E.G. Sending 1000 emails to Gmail in 5 seconds is going to get us blocked)
• Allowing a user to set a reply too address so that it isn't No Reply can also reduce spam scoring
• Fill a proper subject line
• Avoid HTML errors in the messages
• Use normal text in a URL instead of the URL

What?

• Take the English content and get it translated
• Get that content reintegrated

Why?

• The official language act means that we have to support both English and French.
• I want to be able to usability test this with Francophones

What?

• Says 8 characters, no other rules
• There is a black list of common passwords such as '1111111'
• We need to enhance this for GoC spec to remove Canada works and departments

Why?

• The system will have protected info in it and we need to ensure its security.

What?

• How does the Privacy act impact what we can and can't allow with the service?
• Are we liable for people miss-using the service?
• Legal opinion of how this impacts our work
• Ontario Notify team said that they can't put names in the emails since they are not encrypted, is that true for us?
• Should we hide any personal information in the logs?

Why?

• We wish to be compliant with all laws to reduce risk and meet ethical requirements

What?

• We need styling for UI elements
• A colour scheme for link colours(Current #005ea5), link hover, dashboard boxes(#005ea5), Success states, failure states(#b10d1e), no failures(#01823b), search buttons (#01823b), Link&page highlights(#ffbf47), and box/button highlights(#dee0e2)
• Font styles (Currently Arial/Helvetica has been used to replace GDS proprietary font)
• Drop shadows like they have on buttons seem to be used to denote a button or a highlight box.

Why?

• We need something that reflects the nature and ownership of the service
• We want to give it a Government of Canada or CDS feel rather than a GDS Feel

Notes

What?

• We need people to test with who current have the problem we are trying to solve
• Put people into a doc whom we can contact
• Categorize them based on our personas (Start of this doc https://docs.google.com/document/d/1_7SNp-7JTR16uPM87Bw-MAmZcAhp7pwsKh1YsCjSBtc/edit# )

Why?

• Finding usecases
• Validating usecases
• Future usability testing

What?

• Please purge UK PII from our copy of the DB

WHY?

• Because we don't want it.

What?

• Google Doc of a usability testing plan for Recipients

Why?

• Once we have everything up and running we need to preform usability testing plan with Recipiants

What?

• Get CANofity working with our Branch Review app
• Dependant on Moving CANotify to K8S

Why?

• usability testing our own tech
• Reviewing and approving our changes made easier

What?

• GDS says they have an option to scrub the logs. It looks like info is only kept for 7 days anyway.
• Do we have that option?
• Can we turn that on or is it on by default?
• It stores the emails to show which ones bounces, can we still save bounces since they didn't work the emails don't reveal PII?

Why?

• If we aren't storing emails in Logs it reduces privacy complexity

What?

• Dependant on putting CANotify on K8S
• Stand up the Web-report so we can monitor security
• When should we write the stub checks?

Why?

• We should use our own tech. If we don't want to then we should make it better so we should. This is a good test of 'eating our own dog food'

What?

• Strip out branding from emails
• Replace with GoC Logo

What?

• Standup/Migrate CANotify on K8S
• Using whatever infrastructure provider we need to best support protected A/B, is that AWS?
• .yaml file to manage docker containers? (I hope this still uses docker like Gov.uk notify)

Why?

• If we set it up on K8S proper it will improve the service accessibility and reliability.
• We can have new containers appear when the service goes does and also stand up security goals, branch reviews, et al.

What?

• Dependant on standing up CANotify and the web interface or at least looking at the code
• Does it support Markdown? HTML? Plain Text? French Characters?
• How can we send Images?
• Gov.uk Says attachments are an optional feature, how do they work in our implementation?
• How do the Variables work? Tags from the CSV?

Why?

• The senders will care about what they can send and it directly impacts the use cases we can support

What?

• https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/
• We need a warning message on the page that states users must be compliant with the privacy acts rules around Fair use of the emails of numbers they are uploading
• We need to figure out how the privacy act applies to SMS and Email notifications and write elements to put in the UI
• Figure out where in the UI we need them

Why?

• Legal Requirement

What?

• We need a URL to put the service on that is bilingual, available, and looks official
• Talks have pointed us too The winner is Notification.Alpha.Canada.Ca
• please add notification.alpha.canada.ca to https://github.com/cds-snc/dns
• please update any URLs, Repos, to reflect Notification as the name.

Why?

• Official languages act
• don't want people/mail services to disregard us as spam

What?

• compliance with https://en.wikipedia.org/wiki/Federal_Identity_Program
• Electronic Communications need to be signed with Canada Logo
• Replace the Gov.UK notify branding with our branding

Why?

• Requiring images means requiring attachments which means working to support that for GoC users specifically

What?

• Without SMS we can't validate our accounts
• We need to have everyone an account with their email that is active and can be used.

Why?

• if we are going to review and test it we need to be able to get into the system
• if we are going to have people Usability test we need to grant them access

What?

• Crown favicon should be canada.ca maple leaf fav icon
• Can we change the Page Meta Title too so it doesn't say Gov.uk Notify?

Why?

• We don't want people to think we are monarchists

What?

• Example, I don't think we can upload and send peoples SIN numbers to them, but maybe we can?
• ODS said that they can't include peoples names, do we have that limitation?
• What is taboo or off limits from an info classification level? does it vary from Unclassified, Prot A, Prot B?
• Are there other things we can't send because of Privacy or consent notifications?
• We need a message in the UI telling them this, warning the senders

Why?

• We are assuming some liability with this tool and to avoid that we need to advise them what they can't use the system for to cover ourselves.

What?

• Figure out what Github actions we can apply to the repos
• What actions we should
• Then apply them

Why?

• Test our own tech and ensure we don't make little mistakes.

What?

• put it up on canotify.cds-snc.ca
• Should we just have it as a dev review URL for now?
• Validate that we have domain verification for @cds-snc.ca on AWS for sending emails

Why?

• Min req is We need people to be able to access it so they can usability test and review so if we have a URL to send to people I don't mind what it is.
• Emails need to work as well so we need a default domain for them to come from

What?

• Google Doc of a usability testing plan for Senders

Why?

• Once we have everything up and running we need to preform usability testing plan with senders

What?

• Get the nightly job running and see what it does

Why?

• We need all the parts of the service up and running for evaluation

What?

• We build a one off notification api system for IRCC to send email notifications
• What other Gov Products and Services are there that could use Email, or more important SMS?
• Does anyone currently send SMS?

Why?

• We need people who could use out notification system API
• SMS is a big value add and competitor differentiator.

What?

• We need to make sure that all our tests are passing
• 188 tests are failing, some for example look for text like gov.uk notify

Why??

• We need to know if our updates are causing more issues

What?

• Colours are pulled in via an NPM from a deprecated UK repo
• We need to update the colours to CDS agreeable ones (Use the colour pallette from digital.canada.ca, Black, white, Dark grey, yellow highlights) As a placer holder until we get design help
• Replace Gov.uk UI logos with GoC logo

Why?

• Doesn't look very good and creates some design faults
• Should be considered with the Font change in https://github.com/cds-snc/CANotifier/issues/24

What?

• Gov.uk terms of use need to be rewritten for us
• see them here https://notifier.cdssandbox.xyz/features/terms

Why?

• We can't hold people to a standard that isn't ours

What?

• CASL is a thing https://www.fightspam.gc.ca/eic/site/030.nsf/eng/home
• Does it apply?
• How does it apply?
• What do we need to be compliant?
• Do people need to Opt-in? or can Senders still upload people?

Why?

• We don't want to break CASL laws

The templates have hardcoded Google Analytics values. These need to point to our Google Analytics account + be pulled in via .env vars.